ABSTRACT

An algorithm is presented for computing the exact failure probability for binary systems represented as fault trees. This algorithm does not rely on cut sets. Instead, it applies recursive pivotal decomposition together with probabilistic structural reductions and modularization directly to the fault tree. A further capability of the algorithm is the sequential printing of equations to form a function for a specific fault tree which computes system failure probability given the basic event probabilities.
I. INTRODUCTION

Fault trees are used in many fields of application to aid in assessing the probability of failure of a complex binary system as a result of sub-system or component failures. An algorithm is presented here for computing the exact failure probability for binary systems represented as fault trees. Due to the improved efficiency of this algorithm over those currently in use, reliability engineers and other users will find it useful for conducting fault tree analyses in which multiple computations of failure probabilities are needed.

Fault trees are commonly used models to represent failures in complex electrical, mechanical, and other systems. Their use originated in 1961 at Bell Telephone Laboratories in the safety assessment of the Minuteman Launch-Control System [Ref. 1]. Since then many other applications for fault trees have been found. Arnborg [Ref. 2] refers to their use in weapons effectiveness models, and Atkinson [Ref. 3] uses a fault tree model to analyze a naval weapons system. Ball [Ref. 4] uses fault trees to identify critical zones and components of aircraft subjected to anti-aircraft fire. Other areas in which fault tree models have been applied include nuclear power plant safety [Refs. 5,6,7,8], electrical systems [Ref. 9], computer hardware design [Ref. 10], and chemical processing [Ref. 11].


Efficient methods for computing the probability of system failure or, equivalently, system reliability are needed for users with large fault trees to analyze. One use for such computations is in obtaining importance measures for basic events or component failures. Importance measures are methods of assigning numerical values to basic events which in some way gauge how critical a component is to system reliability. These values are useful for sensitivity analysis. For example, in an electrical circuit the failure of a component linked in series will be more critical to system reliability than will the same component linked in parallel. In a complex system such structural characteristics may not be so obvious. Importance measures will reflect, for each component, the relative importance to the system resulting from system structure and component characteristics. Lambert [Ref. 12] discusses four measures of event importance which can be computed exactly or approximately given a method for computing system reliability.

Needs exist for efficient system reliability computations for other uses. Mizukami [Ref. 13] and Derman, et al. [Ref. 14], discuss constrained problems of resource allocation with the objective of maximizing system reliability such as

$$\max\; h(\mathbf{p}(\mathbf{y})) \quad \text{s.t.} \quad \sum_i y_i \le A$$

where $y_i$ is the amount of resource allocated to component $i$, $\mathbf{p}(\mathbf{y})$ is an $m$-vector of failure probabilities of the components given $\mathbf{y}$, and $h(\mathbf{p}(\mathbf{y}))$ is the system reliability. Since $h(\mathbf{p}(\mathbf{y}))$ is nonlinear, this problem requires a solution using nonlinear programming techniques [Ref. 15]. Most of these techniques require computation of the objective function gradient at each iteration. Each component $i$ of the gradient evaluated at $\mathbf{y}$ is given by

$$\frac{\partial h}{\partial y_i} = \sum_j \frac{\partial h}{\partial p_j}\,\frac{\partial p_j}{\partial y_i} = \sum_j \Bigl( h(\mathbf{p}(\mathbf{y}) \mid p_j = 1) - h(\mathbf{p}(\mathbf{y}) \mid p_j = 0) \Bigr) \frac{\partial p_j}{\partial y_i}$$

Thus each gradient computation requires $2m$ computations of $h(\mathbf{p}(\mathbf{y}))$.

In some binary systems the failures of some of the basic components are statistically dependent. In these cases, computation of system failure probability requires numerical integration. For instance, if components $i$, $j$, and $k$ are dependent while all other component failure probabilities are independent, then system failure probability $g(\mathbf{p})$ can be found using

$$g(\mathbf{p}) = \int_0^1 \int_0^1 \int_0^1 g\bigl(\mathbf{p} \mid (p_i = x_i, p_j = x_j, p_k = x_k)\bigr)\, f(x_i, x_j, x_k)\, dx_i\, dx_j\, dx_k$$

where $g(\mathbf{p} \mid (p_i = x_i, p_j = x_j, p_k = x_k))$ is the system failure probability with the probabilities of components $i$, $j$, and $k$ fixed, and $f(x_i, x_j, x_k)$ is the joint probability density function of components $i$, $j$, and $k$. Numerical integration of this function requires many computations of system failure probability. The more rapidly that $g(\mathbf{p} \mid (p_i = x_i, p_j = x_j, p_k = x_k))$ can be computed, the smaller the increments of numerical integration can be, and the more accurate $g(\mathbf{p})$ will be.

Many fault trees used in applications are quite large. Arnborg [Ref. 2] states that some of the military models used in practice require as many as 100,000 evaluations of fault trees containing as many as 1000 basic components to evaluate performance over different tactical situations. Reliability optimization, numerical integration, and importance determination cannot be performed on some of these larger fault trees given current methods. It is obvious that a need exists for more efficient methods to compute system failure probability for binary systems.

A. DEFINITIONS AND NOTATION

A fault tree is used to represent a binary system. A binary system is a system in which all components and the entire system are assumed to be either completely operational or completely failed. A binary system is denoted $(C, \phi)$ where $C$ is the set of components and $\phi$ is a binary function of the component states. Let $x_i \in \{0,1\}$ represent the state of the $i$th component of a binary system with $m$ components. The system state is given by $\phi(\mathbf{x}) \in \{0,1\}$, where $\mathbf{x} = (x_1, x_2, \ldots, x_m)$ is the system state vector. If $x_i = 0$, then the state vector $\mathbf{x}$ is written $(0_i, \mathbf{x})$ where $x_j$ is arbitrary for $j \ne i$. Setting $x_i = 1$ yields a state vector of $(1_i, \mathbf{x})$. Likewise if every basic component $i$ is assigned a probability $p_i$, then $\mathbf{p} = (p_1, p_2, \ldots, p_m)$ is a vector of given probabilities. The probability of a system failure is given by $g(\mathbf{p})$, and system reliability is given by $h(\mathbf{p}) = 1 - g(\mathbf{p})$. If $p_i = 0$, then the vector $\mathbf{p}$ is denoted $(0_i, \mathbf{p})$ where $p_j$ maintains its original value for all $j \ne i$. Similarly, setting $p_i = 1$ yields the vector $(1_i, \mathbf{p})$.

A binary system can be coherent or noncoherent. A system is coherent if $\phi$ is monotonically increasing, and all components are relevant. Component $i$ is relevant if $\phi(1_i, \mathbf{x}) \ne \phi(0_i, \mathbf{x})$ for some value of the state vector $\mathbf{x}$. If the system state is constant in $x_i$ for all values of $\mathbf{x}$, then component $i$ is irrelevant [Ref. 16: p. 6].

Fault trees are the most commonly used models of binary systems. A fault tree is denoted $F = (E, \vec{L})$ where $E$ is the set of events, and $\vec{L}$ is the set of links. An event $e_i \in E$ is a pair $e_i = (v_i, t_i)$ where $v_i \in V$ is the event vertex and $t_i \in T$ is the event type. Events are connected by links $l_{ij} = (v_i, v_j) \in \vec{L}$ where the ordered pair $(v_i, v_j)$ denotes a directed link from $e_i$ to $e_j$. Link $l_{ij}$ transmits the output from $e_i$ to the input of $e_j$. The out-degree of $e_i$ is the number of $j$ such that $(v_i, v_j) \in \vec{L}$. The in-degree of $e_j$ is the number of $i$ such that $(v_i, v_j) \in \vec{L}$.

Three graphs derived from $F$ will be useful. $\vec{H} = (V, \vec{L})$ is a directed graph with links directed "upward" as in $F$; $\overleftarrow{H} = (V, \overleftarrow{L})$ is similar to $\vec{H}$ but with its links directed in the opposite, i.e., "downward", direction; and $H = (V, L)$ is an undirected graph where $L$ is $\vec{L}$ taken as an unordered set.

A further requirement for $F$ to be a fault tree is that $\vec{H}$ be acyclic and possess a unique vertex $v_j > v_i$ for all $v_i \ne v_j$ in any acyclic ordering of $V$. In the graph $\vec{H}$, $v_j$ corresponds to the top event $e_j$ of $F$. The state of the top event is the system state $\phi(\mathbf{x})$. The top event is dependent on intermediate and basic events and has out-degree zero. Intermediate events (or logic events) are any events with out-degrees and in-degrees both greater than zero. A basic event represents a system component, and has in-degree zero. The number of basic events is $m$. For now, it is assumed that all basic events are statistically independent, randomly occurring events.

For examples of fault tree event types consider a model of a complex tactical aircraft. This aircraft is composed of many basic components such as electrical generators, hydraulic pumps, flight control cables, and others for which failures can be assumed to be statistically independent. (For this aircraft assume that these components are independently powered.) The failures of these basic components are represented in a fault tree by basic events. Each of these components is a part of a greater system, i.e., electrical, hydraulic, and flight controls, respectively. Failures of these sub-systems become the intermediate events of the fault tree. Failures in basic components cause failures in intermediate components which may ultimately lead to occurrence of the top event, aircraft failure.

In the fault tree each event has a type, $t_i \in T$. For the top and intermediate events, $t_i$ denotes a logic type, e.g., AND, OR, while for basic events, $t_i$ is type BASIC. Any event with an out-degree greater than one represents a replicated event. The number of replicated events in the fault tree is denoted by $r$.

Table 1-1 shows the logical operations performed at $e_j$ on the events $e_i$ linked into $e_j$ by the links $l_{ij}$.

TABLE 1-1
Logical Operations

Logic Event    Input                                              Output
AND            $x_i$ for all $i$ s.t. $(v_i, v_j) \in \vec{L}$    $\prod_i x_i$
OR             $x_i$ for all $i$ s.t. $(v_i, v_j) \in \vec{L}$    $1 - \prod_i (1 - x_i)$
K-out-of-N     $x_i$ for all $i$ s.t. $(v_i, v_j) \in \vec{L}$    $1$ if $\sum_i x_i \ge k$; $0$ if $\sum_i x_i < k$
NOT            $x_i$                                              $1 - x_i$

Logic types included in $T$ are AND, OR, NOT, and (at least) K-out-of-N. Other logic types are possible, but these are the most commonly encountered in fault tree models. In fact, all structure functions can be represented using only logic types AND, OR, and NOT. NOT events will always have an out-degree and in-degree of one, and their presence implies a noncoherent system. Figure 1-1 displays the symbols for events to be discussed in this thesis. This thesis will only consider these event types since they are the most common, and the algorithm developed using these event types can be easily extended to other types.

An event tree is a generalization of a fault tree in which system operation or failure can be represented. Event trees representing failures are usually referred to as fault trees. There are no structural or computational differences between fault trees and event trees, and the term "fault tree" is used throughout this thesis. Another representation of a binary system which is used is the reliability network. This representation is not considered here since it does not lend itself to modeling general binary systems [Ref. 17].

A module is a set of basic events which behave as one event. Consider a binary system $(C, \phi)$ with $A \subseteq C$, and let $\mathbf{x} = (\mathbf{x}^A, \mathbf{x}^{\bar{A}})$. If $\phi(\mathbf{x}) = \phi'(\phi''(\mathbf{x}^A), \mathbf{x}^{\bar{A}})$ for structure functions $\phi'$ and $\phi''$, then $(A, \phi'')$ is a module [Ref. 16: p. 16].

A module in a binary system can often be directly recognized in a fault tree. Consider the graph $H$ derived from $F$ and a specified vertex $v_j$. If $H$ is connected, and $H - v_j$ is disconnected, then $v_j$ is a cut vertex, and $e_j$ is a cut event. $H - v_j = \{H_0, H_1, H_2, \ldots, H_k\}$, where each $H_i$ is connected for all $i$, but there is no connection between $H_i$ and $H_j$ for $i \ne j$, and where $H_0$ contains the vertex corresponding to the top event of $F$. Let $H_i = (V_i, L_i)$, and $E_i = \{e_\ell : e_\ell = (v_\ell, t_\ell) \text{ for all } v_\ell \in V_i\}$. Then $F_i = (E_i + e_j,\; L_i \cup \{l_{\ell j} \in \vec{L} : v_\ell \in V_i\})$ is an F-module for $i = 1, 2, \ldots, k$ with cut event $e_j$. The non-null union of any combination of these $F_i$ is also an F-module with cut event $e_j$.

Figure 1-1 Logic Events (symbols for the AND, OR, 2-OUT-OF-3, NOT, and BASIC events)

3 

Consider the F-module $F' = (E', L')$ in $F$. Let $e_i \in E$ be any event connected into the cut event $e_j$ by links $l_{ij} \in \vec{L}$. If $e_i \in E'$ for all $i$, then $e_j$ is an F-module top, and $F'$ is a simple F-module. If separated from $F$, a simple F-module with an F-module top has the same properties as a fault tree. The cut event of a general F-module may have other $e_i$ connected into it where $e_i \notin E'$, and therefore does not necessarily possess all the fault tree properties. $F$ is always an F-module of $F$. Any other F-module in $F$ is a proper F-module. An F-module is trivial if it contains only one or more unreplicated basic events plus the cut event. Any $F$ whose only proper F-modules are trivial is a prime F-module.

In a graph $H$, if a maximal set of vertices $V_0 \subseteq V$ exists such that for every distinct subset of three vertices $\{v_i, v_j, v_k\} \subseteq V_0$ there exists a path between $v_i$ and $v_j$ not containing $v_k$, then $V_0$ is a biconnected component [Ref. 18: p. 179]. If all paths from any $v_i \in V_0$ to any $v_k \notin V_0$ must pass through the same vertex $v_j \in V_0$ for $i \ne j$, then $v_j$ is a cut vertex of $V_0$.
Computation of any problem on a digital computer requires time and storage. Let $f$ be some function of the size of the fault tree such as $f(|E|)$ or $f(|L|)$. Then let $O(f)$ be a known linear function of $f$ which provides an upper bound on some requirement for the problem. $O(f)$ is the algorithmic complexity of the problem for the specific requirement. If the requirement is space, then $O(f)$ denotes the storage requirement in terms of the problem size, while if the requirement is time, it denotes the CPU time required in the same terms.

Although not utilized in this study, later reference will be made to other fault tree algorithms which utilize cut sets and path sets. A cut set is a set of basic events whose occurrence ensures occurrence of the top event. A cut set is minimal if no event can be removed while still ensuring occurrence of the top event. A path set is a set of basic events whose nonoccurrence ensures nonoccurrence of the top event [Ref. 16: p. 9]. (This terminology originates from network reliability.)

B. PROBLEM DEFINITION AND COMPLEXITY

The objective of this thesis is to develop an efficient algorithm to compute $g(\mathbf{p})$, the probability of the top event of a fault tree. It is assumed that a probability $p_i$ for each basic event in $F$ is known. However, assignment of a probability $p_i$ to a basic event is only correct when certain assumptions about the modeled system can be made. These assumptions are valid for the three categories of systems described below.

The first category is the set of non-repairable systems. In this case $p_i = F_i(t)$ is the probability that component $i$ has failed by time $t$ [Ref. 19]. System failure by time $t$ then is $g(\mathbf{F}(t))$. A tactical aircraft on a mission is an example of a non-repairable system where the interval $(0, t)$ represents the time span from takeoff to landing.

The second category is the set of systems for which component "up" and "down" times form independent renewal processes [Ref. 19]. Here, $D_i$ is the component "down" time, and $U_i$ is the component "up" time. The probability that component $i$ is "down" or in a failed state at a given instant of time and the proportion of time that $i$ will spend in a "down" state are both given by

$$p_i = \frac{E(D_i)}{E(U_i) + E(D_i)}$$

An example of this type of system is an electrical power generating station which runs continuously.

The final category of failures is point failures. Point failures are realized if a system fails to activate when its "on" switch is engaged. In this case $p_i$ and $g(\mathbf{p})$ are simply the probabilities that component $i$ and the system, respectively, fail to activate. Point failure is a fair assumption for modeling the probability that an aircraft to be flown on a mission fails to pass the pre-flight safety checks and consequently cannot begin the mission.

Let $g(\mathbf{p})$ denote the probability of the top event in a fault tree, and let $g_j(\mathbf{p})$ denote the probability of occurrence of an intermediate event $j$. In a fault tree without replicated events, computation of $g(\mathbf{p})$ is easy. Since the top and intermediate events are represented by logic events $e_j$, their probability can be computed directly if the events $e_i$ for all $i$ s.t. $(v_i, v_j) \in \vec{L}$ are all mutually independent and have known probabilities. The equations used to compute these probabilities are found in Table 1-2.


TABLE 1-2
Logic Event Probabilities

Event Type     Computation
AND            $g_j(\mathbf{p}) = \prod_i p_i$
OR             $g_j(\mathbf{p}) = 1 - \prod_i (1 - p_i)$
2-out-of-3     $g_j(\mathbf{p}) = p_1 p_2 p_3 + (1 - p_1) p_2 p_3 + p_1 (1 - p_2) p_3 + p_1 p_2 (1 - p_3)$
NOT            $g_j(\mathbf{p}) = 1 - p_i$


Hwang [Ref. 20] and Shanthikumar [Ref. 21] provide recursive algorithms for general K-out-of-N systems which operate in polynomial time. Using these equations $g(\mathbf{p})$ can be found by computing $g_j(\mathbf{p})$ at each logic event from the bottom of the fault tree to the top event. This procedure can be used in any fault tree without replicated events. Computation of top event probability for a fault tree in this case can be accomplished in time $O(|L|)$ in space $O(|L|)$. (Since $H$ is assumed connected, $|L| \ge |E| - 1$, and $O(|E| + |L|)$ is effectively $O(|L|)$.) Referring to Figure 1-2a, $F$ is searched from the top event downward, i.e., following $\overleftarrow{H}$. When an intermediate event which has only basic input events is found, the probability of the intermediate event is computed, and it becomes a basic event. The search continues, gradually reducing all intermediate events to basic events in a backtracking procedure until the top event probability is computed. These reductions are simple reductions, and a formal algorithm to perform them is given in Chapter II.

The assumption of independence among input events which allows simple reductions cannot be made throughout a fault tree containing replicated events. Any two events $e_i$ and $e_j$ which are on separate directed paths from the same replicated event $e_k$ cannot be assumed to be independent since the states of $e_i$ and $e_j$ both depend on $e_k$. Replicated events complicate the computation of top event probability. In fact, Rosenthal showed the problem of computing $g(\mathbf{p})$ for a fault tree $F$ containing replicated events to be a member of the class of nondeterministic polynomial hard (NP-hard) problems [Ref. 22]. Consequently, no algorithm exists or is likely to be developed to compute $g(\mathbf{p})$ in time bounded by a polynomial function of the number of events [Ref. 23: p. 113]. The best known upper bound on time for any algorithm to solve $g(\mathbf{p})$ is an exponential function of the problem size. The best known bound on space, however, is polynomial.

Figure 1-2 Fault Trees: a. Without Replicated Events; b. With Replicated Events

Despite the inherent exponential complexity of the problem, it is still possible to exactly compute $g(\mathbf{p})$ for many moderate sized fault trees. It is the purpose of this study to take advantage of structural properties of fault trees to extend the range of problems for which exact probabilities can be computed. The method described for use in a fault tree with no replicated events will be useful as a subroutine in a more general algorithm.

C. COMPUTATIONAL METHODS

Several different exact and approximate methods for probabilistic analysis of fault trees have been developed for fault trees with replicated events. Most of these methods ignore the topological structure of the fault tree while relying on cut set enumeration to compute $g(\mathbf{p})$. Because of the inefficiency of these methods, exact values of $g(\mathbf{p})$ are not computable for large systems and must be approximated by use of upper and lower bounds or Monte Carlo simulation.

1. Existing Methods

Current methods for computing $g(\mathbf{p})$ for binary systems represented as fault trees can be placed into two categories, those using cut sets and those not using cut sets. Methods which use cut sets include "inclusion-exclusion" [Ref. 24: p. 98-101], "sum of disjoint products" [Refs. 25,26], and "ΣΠ" [Ref. 27]. A common requirement of these methods is the enumeration and storage of all cut sets. The number of cut sets in a binary system can be exponential in the size of the system. Therefore, for a large system these methods may be limited to approximations for $g(\mathbf{p})$. Using the inclusion-exclusion and sum of disjoint products methods the generation of all terms needed for computation of $g(\mathbf{p})$ is exponential in the number of cut sets. Consequently, for both of these methods the complexity is exponential on an exponential function of the problem size. Most methods which depend on cut sets never take advantage of the structure of the systems they model, such as the presence of modules or other simplifying properties, and, consequently, are guaranteed to always require large amounts of time and space to compute $g(\mathbf{p})$. ΣΠ, which locates independent blocks of cut sets and evaluates them separately, can achieve exponentially better efficiency than the sum of disjoint products methods.

Two methods which do not use cut sets are "PAFT F77" [Ref. 28] and "reduced state enumeration" [Ref. 2]. These methods are based on the fault tree model of a binary system. PAFT F77 removes all replicated basic events by conditioning and then uses simple reductions to compute $g(\mathbf{p})$. This method does not allow replicated intermediate events, and is guaranteed an actual complexity factor which is exponential in the number of replicated basic events. Reduced state enumeration enumerates the states of each replicated event $e_i$ over any cut event $e_j$. Reduction is achieved since the states of all $e_i$ below $e_j$ can be replaced by the states of $e_j$ in an expression for the states of some $e_k$ above $e_j$. This method is only useful, however, when no prime F-modules of the fault tree contain a large number of replicated events.

Of the methods discussed above only PAFT F77 takes advantage of topological reductions and then only in a crude manner. This thesis applies probabilistic structural reductions to fault trees. Although theoretical complexity remains exponential in the number of replicated events, actual complexity will be reduced by these reductions.

2. Recursive Pivotal Decomposition

Let $g(F)$ denote the system failure probability for a particular fault tree $F$. If $F$ has no replicated events, $g(F)$ may be computed by repeated application of simple reductions. When $F$ is reduced to a single basic event $e_i$, $g(F) = p_i$. If, after all simple reductions have been made, $F$ is not reduced to a single event, some replicated basic event $e_i$ must remain. From the theorem of total probability, for any remaining basic event $e_i$

$$g(\mathbf{p}) = p_i\, g(1_i, \mathbf{p}) + (1 - p_i)\, g(0_i, \mathbf{p})$$

for a binary system. This is the equation for pivotal decomposition. For a fault tree the equation becomes

$$g(F) = p_i\, g(F \mid x_i = 1) + (1 - p_i)\, g(F \mid x_i = 0) = p_i\, g(F_1) + (1 - p_i)\, g(F_0)$$

where $F_1$ is a fault tree derived from $F$ given that $e_i$ has occurred, and $F_0$ is a fault tree derived from $F$ given that $e_i$ has not occurred. If simple reductions completely reduce $F_1$ and $F_0$, then $g(F_1)$ and $g(F_0)$ are computed, and $g(F)$ can then be computed. If not, events in $F_1$ and/or $F_0$ are selected for conditioning, and the procedure is repeated recursively until all failure probabilities can be computed through simple reductions or until conditioning implies $g(F \mid x_i) = 0$ or $1$. Figure 1-3 shows a recursive decomposition of a fault tree $F$.

Recursive pivotal decomposition is further enhanced by identification of proper F-modules. If simple reductions fail to reduce $F$ to a basic event $e_i$, then $F$ may contain a non-trivial F-module $F'$. If $F'$ is a simple, proper F-module with module top $e_j$, then pivotal decomposition may be applied to compute $g(F')$. $F$ can then be replaced by $F - F' + e_j$ where $t_j = \text{BASIC}$, and $p_j = g(F')$. Using this modularization an exponential reduction in computation can be achieved, especially when repeated on recursively produced fault trees.
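As an added example (not code from the thesis), the following Python carries out the procedure of this section together with the modularization just described on a constructed fault tree: simple reductions (Table 1-2) at any gate whose inputs are mutually independent, replacement of a simple F-module by a single basic event with $p_j = g(F')$, and pivotal decomposition on a shared event wherever two inputs of a gate depend on it. The gate names, probabilities, and the FaultTree class are assumptions of the example; full state enumeration over the $2^m$ basic-event states is included only to check the result.

```python
"""Exact top-event probability g(F) via simple reductions, modularization and
recursive pivotal decomposition, checked against full state enumeration."""
import math
from itertools import product


class FaultTree:
    """gates: name -> (type, k, inputs); names that are not gates are basic."""

    def __init__(self, gates, p):
        self.gates, self.p, self.parents, self.pivots = gates, p, {}, 0
        for g, (_, _, inputs) in gates.items():
            for i in inputs:
                self.parents.setdefault(i, []).append(g)   # links l_ij

    @staticmethod
    def gate_prob(gtype, probs, k=0):
        """Table 1-2 for independent inputs (Table 1-1 on 0/1 inputs)."""
        if gtype == "AND":
            return math.prod(probs)
        if gtype == "OR":
            return 1.0 - math.prod(1.0 - q for q in probs)
        if gtype == "NOT":
            return 1.0 - probs[0]
        # K-out-of-N: dist[j] = P(exactly j inputs so far occurred), O(k*n)
        dist = [1.0]
        for q in probs:
            dist = [a * (1.0 - q) + b * q for a, b in zip(dist + [0.0], [0.0] + dist)]
        return sum(dist[k:])

    def unfixed_basics(self, n, fixed):
        if n in fixed or n not in self.gates:
            return set() if n in fixed else {n}
        return set().union(*(self.unfixed_basics(i, fixed)
                             for i in self.gates[n][2]))

    def is_module(self, m, fixed):
        """True if all unfixed events below m feed only m or events below m."""
        below, stack = set(), [m]
        while stack:
            for i in self.gates.get(stack.pop(), (0, 0, []))[2]:
                if i not in fixed and i not in below:
                    below.add(i)
                    stack.append(i)
        return all(par == m or par in below
                   for d in below for par in self.parents[d])

    def leaves(self, n, fixed):
        """Events n depends on: basic events and simple F-module tops."""
        if n in fixed or not self.unfixed_basics(n, fixed):
            return []                  # the subtree is a constant
        if n not in self.gates or self.is_module(n, fixed):
            return [n]                 # a module acts as one basic event
        return [l for i in self.gates[n][2] for l in self.leaves(i, fixed)]

    def prob(self, n, fixed=None):
        """g for event n, with the events in `fixed` conditioned to 0 or 1."""
        fixed = fixed or {}
        if n in fixed or n not in self.gates:
            return fixed[n] if n in fixed else self.p[n]
        gtype, k, inputs = self.gates[n]
        first = {}
        for idx, i in enumerate(inputs):
            for leaf in self.leaves(i, fixed):
                if first.setdefault(leaf, idx) != idx:
                    # Two inputs depend on `leaf`: pivot with q = p_i, or g(F') for a module
                    self.pivots += 1
                    q = self.prob(leaf, fixed)
                    return (q * self.prob(n, {**fixed, leaf: 1.0})
                            + (1.0 - q) * self.prob(n, {**fixed, leaf: 0.0}))
        # All inputs mutually independent: a simple reduction at this gate.
        return self.gate_prob(gtype, [self.prob(i, fixed) for i in inputs], k)

    def brute_force(self, top):
        """Independent check: sum over all 2^m basic-event state vectors."""
        basics = sorted(self.unfixed_basics(top, {}))
        total = 0.0
        for bits in product((0.0, 1.0), repeat=len(basics)):
            state = dict(zip(basics, bits))
            weight = math.prod(self.p[b] if x else 1.0 - self.p[b]
                               for b, x in state.items())
            total += weight * self.prob(top, state)
        return total


# Constructed tree: c is a replicated basic event (feeds g1 and n1); g2 is a
# replicated intermediate event whose inputs d, e, f are private to it (a module).
GATES = {
    "top": ("OR", 0, ["g1", "g3", "g4"]),
    "g1": ("AND", 0, ["a", "c"]),
    "n1": ("NOT", 0, ["c"]),
    "g3": ("AND", 0, ["g2", "n1"]),
    "g4": ("AND", 0, ["g2", "b"]),
    "g2": ("KofN", 2, ["d", "e", "f"]),
}
P = {"a": 0.1, "b": 0.05, "c": 0.2, "d": 0.3, "e": 0.3, "f": 0.3}


def demo():
    ft = FaultTree(GATES, P)
    g = ft.prob("top")
    return g, ft.pivots, ft.brute_force("top")
```

With these probabilities the top event is reached after three conditionings (on $c$, then on the module top $g2$ in each branch), where conditioning on the basic events $d$, $e$, $f$ individually would have needed more.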

For small fault trees pivotal decomposition may be repeated quickly to compute $g(F)$ for different values of $\mathbf{p}$ when necessary, as in the constrained reliability maximization problem. For moderate to large-sized fault trees it may be possible to use pivotal decomposition to compute $g(F)$ once in a reasonable amount of time but not multiple times. In this case it is possible to perform the simple reductions and pivotal decomposition on $F$ without actually computing the probabilities in the process but, instead, saving each equation which would have been used to compute probabilities. When $F$ has been completely reduced, the saved equations form an expression for $g(\mathbf{p})$. This expression may now be used for rapid recomputations of $g(\mathbf{p})$ without much of the work associated with the original fault tree algorithm.

Figure 1-3 Pivotal Decomposition

Assuming that only replicated events are conditioned, time complexity for pivotal decomposition combined with simple reductions is $O(2^r |L|)$ for $g(F)$. This is true since $r$ is the greatest recursion level ever required to condition $r$ replicated events. The time complexity of the expression $g(\mathbf{p})$ will be identical to that of $g(F)$ since $g(\mathbf{p})$ will merely execute the computations produced in equational form by $g(F)$. Actual time savings will, however, be realized by execution of the expression $g(\mathbf{p})$ since building, storing, and reducing the structure of $F$ is unnecessary. The space complexity of storing one fault tree is $O(|L|)$. For each step of conditioning, two different reductions must be performed on the same fault tree. To do this a copy of the current fault tree must be created and stored until it has been completely reduced. At the $r$th level of recursion, $r$ copies of the fault tree are being stored. Consequently, the space complexity for $g(F)$ is $O(r|L|)$. Space complexity for storage of the expression $g(\mathbf{p})$ is proportional to the time complexity of $g(F)$.

Improvement of the actual time required to compute probabilities over existing methods will be attempted by taking advantage of fault tree structure, modularizing when possible, and exploring the use of some heuristics for intelligent conditioning.
II. ALGORITHMS

The main algorithm performs recursive pivotal decomposition combined with simple reductions on a fault tree. The main features of this algorithm and its supporting elements are presented in this chapter. F will be used to denote a fault tree with a probability assigned to each basic event. For notational simplicity let |F| denote |E| for F = (E,L).

A. FAULTTREE

Faulttree is the primary algorithm used in this thesis. (See Figure 2-1.) The argument F is a simple F-module. In the first call to Faulttree, F is the original fault tree, but in all subsequent calls it is an F-module. (It will not necessarily be a proper F-module.) Faulttree receives F as an argument and returns the F-module top and its probability.

Sreduce performs all possible simple reductions on F, and if it reduces F to a basic event, Faulttree is finished. Otherwise, Faulttree will carry out further reductions using recursive pivotal decomposition. Findmodule searches for and returns a simple F-module $F_0$ in F. Also returned is $e_j$, the F-module top. If no proper, simple F-modules exist, $F_0 = F$. $F_1$, a copy of $F_0$, is produced so that two fault trees can be conditioned. At the end of the "if" block $F_0$ remains in F but as a basic event with probability given by the pivotal decomposition computation. The comments "{dummy 1}" and "{dummy 2}" mark the spots where equation print statements can be inserted. This cycle of Sreduce, Findmodule, and pivotal decomposition on an F-module is continued until all F-modules are completely reduced.

    algorithm Faulttree(F);
    input:  A fault tree or simple F-module F with associated basic event probabilities
    output: The top event of F-module top e_j of F and its probability p_j
    begin
      while (|F| > 1) do
      begin
        (F,p) ← Sreduce(F);
        if (|F| = 1) then Return (F,p)
        else
        begin
          (F0,e_j) ← Findmodule(F);
          e_i ← Select(F0) s.t. t_i = BASIC;
          F1 ← Copy(F0);
          (F1,p_1) ← Condition(F1,e_i,1);
          if (|F1| > 1) then (e_j,p_1) ← Faulttree(F1);
          {dummy 1};
          (F0,p_0) ← Condition(F0,e_i,0);
          if (|F0| > 1) then (e_j,p_0) ← Faulttree(F0);
          p_j ← p_i*p_1 + (1 - p_i)*p_0;
          {dummy 2};
          t_j ← BASIC;
          F ← F - F0 + e_j;
        end
      end;
      Return (F,p_j)
    end;

Figure 2-1 Faulttree

Significant reductions in actual run times should be realized through the use of modularization. If a simple F-module can be located with s replicated events in a fault tree with r replicated events, then reduction methods can be applied to the F-module alone. After reducing the F-module to a basic event, reductions continue on the remainder of the fault tree. Using these methods the original complexity factor of $2^r$ reduces to $2^s + 2^{r-s}$. By searching for F-modules and independently reducing each one, much time is saved.

Actual storage requirements can be expected to be well below the upper bound of $O(r|L|)$. Actual storage could only be this large if at each level of recursion during pivotal decomposition a copy of the original fault tree must be made. This cannot happen since at least one and frequently many events are removed at each conditioning step, thus gradually reducing the size of the fault tree as the level of recursion increases. Additionally, these operations are being performed on F-modules. Whenever a proper F-module is found, the size of the copy to be produced and stored is reduced.

1. Sreduce

This algorithm is sufficient for completely reducing F if it contains no replicated events. Sreduce is shown in Figure 2-2. Sreduce does a depth first search in H to find any event $e_j$ with only unreplicated, basic events directly below. When such an $e_j$ is found it is reduced to a basic event, $g_j(p)$ is computed, and all of the unreplicated, basic events can be disposed. As the algorithm backtracks to the top event, each F-module which has no replicated events is reduced to a single basic event. Upon leaving Sreduce, the only remaining, non-trivial F-modules in F contain replicated events. "{dummy 3}" is a marker for inserting the print statements for $g_j(p)$. The time complexity of a call to Sreduce is $O(|L|)$.

    algorithm Sreduce(F);
    input:  A simple F-module F with associated basic event probabilities
    output: If fully reduced, the F-module top with its probability. Else, a partially reduced F
    begin
      for all e_i ∈ E mark e_i "reducible";
      put module top of F on stack;
      while stack not empty do
      begin
        let e_j be the top element of the stack;
        for each untraversed l_ij ∈ L do
        begin
          traverse l_ij;
          if e_i replicated then mark e_j "irreducible";
          if e_i "reducible" and not BASIC then put e_i on stack and let e_j ← e_i;
        end;
        remove e_j from stack;
        if e_j "reducible" then
        begin
          p_j ← g_j(p) and mark e_j BASIC;
          {dummy 3};
        end
        else mark top element of stack "irreducible";
      end;
      if (|F| = 1) then Return ({e_j, ∅}, p_j)
      else Return (F, undefined)
    end.

Figure 2-2 Sreduce
2. Findmodule

This algorithm is a modification of Hopcroft's [Ref. 18: p. 185] depth first search for biconnected components. The search for biconnected components is effectively carried out in H - V where H is derived from F, after performing all possible simple reductions, and V is the set of unreplicated basic event vertices. As a result only F-modules containing at least one replicated event are found. Although Findmodule locates any such F-module, it returns only simple F-modules to Faulttree. If a located F-module is not simple, Findmodule will restructure it into a simple F-module with an F-module top or perform some other type of restructuring before returning it to Faulttree. These special restructuring procedures are described in Section C of this chapter. The time complexity of this routine is $O(|L|)$. Findmodule terminates as soon as an F-module is located.
3. Conditioning

Great reductions in computation can be obtained by selective conditioning in Faulttree. After locating an F-module F, a replicated basic event $e_i$ is selected for conditioning. "Condition" is a procedure for making the associated reductions in F and is shown in Figure 2-3.

Condition also uses a depth first search, but from the replicated event outward, transmitting the effect of conditioning on the replicated event to other events in F. The search is conducted in $(E, L \cup \bar{L})$ since other events both above and below an event to be removed may also be determined to be removable. Condition is configured for AND, OR, NOT, and 2-out-of-3 gates. However, addition of other types is easy. Any event to be removed from F is placed into the stack. When event $e_i$ is removed from the stack, an outward search is conducted to find any other events to remove from F. If events are not to be removed, their links to $e_i$ are disposed. An event which is unreplicated and connected into $e_i$ from below will be placed into the stack for removal from F. The search looks upward from $e_i$ to events $e_j$ for all $l_{ij} \in L$ and performs logic checks. For example, if the state variable x = 1, and $t_j$ = OR, then $e_j$ is placed into the stack. NOT events change x to 1 - x. 2-out-of-3 events are transformed into AND or OR events depending on the current value of x. If the search reaches the F-module top of F, F is returned as a basic event with p = 0 or 1. If the F-module top is not reached in the search, F is returned, partially reduced from the form of the original argument. The time complexity of this search is $O(|L|)$.

    procedure Condition(F, e_i, x);
    input:  A simple F-module F, a basic event e_i to condition, the state of the condition x
    output: If fully reduced, the F-module top and the state of the top event. Else, a partially reduced F
    begin
      put e_i on stack;
      while stack not empty do
      begin
        remove e_i from stack;
        for all e_j s.t. l_ij ∈ L do
        begin
          if ((in-degree(e_j) = 1) or ((t_j = OR) and (x = 1)) or ((t_j = AND) and (x = 0))) then
          begin
            if (e_j = module top of F) then Return ({e_j, ∅}, x);
            put e_j on stack;
            if t_j = NOT then x ← 1 - x;
          end
          else
          begin
            dispose l_ij;
            if (t_j = 2-out-of-3) then
              if (x = 1) then t_j ← OR
              else t_j ← AND;
          end
        end;
        for all e_j s.t. l_ji ∈ L do
        begin
          if e_j unreplicated then put e_j on stack
          else dispose l_ji;
        end;
        if t_i = NOT then x ← 1 - x;
        dispose e_i
      end;
      Return (F, undefined)
    end.

Figure 2-3 Condition
4. The Select Procedure

Printed equations can be used for multiple executions of top event probability computations. In this case, conditioning on basic events so as to minimize the number of equations written will enhance efficiency even if the running time of Faulttree is increased. One way to do this is to develop a "good" procedure for selecting a replicated event $e_i$ to condition. Various heuristics are possible such as choosing the $e_i$ with greatest out-degree or the greatest or least distance from the cut event. These qualities can be determined with a routine in $O(|L|)$ time. A theoretically stronger heuristic is

$$\min_{e_i \in E_R} \left( \max_{j \in J} |R_j| \right)$$

where $E_R$ is the set of replicated basic events in F, J the set of biconnected components remaining in the two fault trees after conditioning $e_i$, and $R_j$ the set of replicated events in biconnected component j. A "select procedure" was implemented to perform this. The procedure conditions on $e_i$ using the algorithm Condition and creates the two fault trees $F_{0i}$ and $F_{1i}$. Next, a depth first search is conducted in $F_{0i}$ and $F_{1i}$, counting the replicated events $|R_j|$ in each biconnected component j. The biconnected components of $H|x_i$ correspond to prime F-modules in $F|x_i$ and to components which will become prime F-modules after recursively reducing current F-modules. The maximum $|R_j|$ found in the two depth first searches of $F_{0i}$ and $F_{1i}$ is saved for each $e_i$. These steps are repeated for all $e_i \in E_R$, and that $e_i$ that minimizes $\max_j |R_j|$ is chosen for conditioning. This heuristic myopically minimizes the upper bound factor $\max_j 2^{|R_j|}$ over all F-modules and components which will become F-modules.


B. FAILURE PROBABILITY FUNCTION

A second version of Faulttree was modified to print a set of equations which represent the failure probability function g(p). All algorithms remain the same except that probability computations are replaced with "print statements." These statements are inserted in Faulttree and Sreduce in the spots marked by "dummy" comments. Since numerical computations are correctly ordered, so must be the printing of the equations. Faulttree must create an extra variable and print an equation for storing the probability of the top event for $F_1$, since its normal storage space will be overwritten by the probability of the top event for $F_0$. "Dummy 1" is replaced by a statement to print the equation which stores the conditional probability in this extra variable. The pivotal decomposition equation is printed by a statement in the line marked by "Dummy 2." Table 2 shows the statements to be substituted for "Dummy 1" and "Dummy 2" in Faulttree.

TABLE 2
Printing Equations

Block      Statement
Dummy 1    XP[j] := P[j];
Dummy 2    P[j] := P[i]*XP[j] + (1 - P[i])*P[j];

In the table, j is the index of the F-module top while i is the index of the event conditioned. In Sreduce "Dummy 3" is replaced by a statement giving the equation for $g_j(p)$. In this case, the printed statement assigns a value to "P[j]" by writing on the right hand side of the equation a function of the basic, unreplicated events. The function to be printed is dependent on $t_j$ and is taken from Table 1-2.

Although execution of g(p) is $O(2^r|L|)$ just like the computation of g(F), actual time should be much less. Storage is also $O(2^r|L|)$, an increase from the storage required for direct computation of g(F). Storage of variables in g(p) is only $O(r+N)$. Recall that r is the number of replicated events which also yields the maximum level of recursion, and N is the total number of events in the fault tree. The r term results from creating an extra variable at each level of recursion to store conditional, top event probabilities. The number of equations written is directly related to the time complexity of computing g(F). The total storage requirements are therefore of the same order as the time complexity of Faulttree, i.e., exponential. In practice, it is hoped that the number of equations produced is small enough that they can be evaluated efficiently.

C. ENHANCEMENTS

Proper application of Faulttree requires that F, whether an F-module or a fault tree, possess the properties of a fault tree. A general F-module does not necessarily meet this requirement while a simple F-module always does. Two enhancements to Findmodule, "event splitting" and "reconfiguration," are methods of dealing with non-simple F-modules. Event splitting can be applied to an F-module with a cut event of type AND or OR while reconfiguration is used for a cut event of type 2-out-of-3. The last enhancement reduces the number of equations produced by handling some simple reductions implicitly.

1. Event Splitting

When Findmodule locates a simple F-module F' with its F-module top $e_k$, F' and $e_k$ are returned immediately to Faulttree. If F' is not simple, and $t_k$ = AND or OR, then event splitting may be applied. Since F' is not simple, $e_i \notin E'$ must be linked into $e_k$ by $l_{ik} \in L'$. "Split" $e_k$ into two events $e_{k_1}$ and $e_{k_2}$ such that $t_{k_1} = t_{k_2} = t_k$, $\{l_{ik_1}\} = \{l_{ik} : e_i \in E',\ l_{ik} \in L'\}$, and $\{l_{ik_2}\} = \{l_{ik} : l_{ik} \notin L'\} + l_{k_1 k_2}$. A simple F-module F is formed by $F = F' - e_k + e_{k_1}$ where $e_{k_1}$ is the F-module top. Findmodule returns F to Faulttree. Event splitting works since

$$x_1 \cap x_2 \cap \cdots \cap x_n = x_0 \cap (x_{k+1} \cap x_{k+2} \cap \cdots \cap x_n)$$

for

$$x_0 = x_1 \cap x_2 \cap \cdots \cap x_k$$

and since

$$x_1 \cup x_2 \cup \cdots \cup x_n = x_0 \cup (x_{k+1} \cup x_{k+2} \cup \cdots \cup x_n)$$

for

$$x_0 = x_1 \cup x_2 \cup \cdots \cup x_k .$$

Figure 2-4 shows the structural changes made to the fault tree by event splitting.
Figure 2-4 Event Splitting

2. Reconfiguration

For a cut event $e_k$ of F-module F' with $t_k$ = 2-out-of-3, three events $e_i$ are linked into the cut event $e_k$ of F'. H' is a biconnected component of H (ignoring unreplicated basic events) with cut vertex $v_k$. If F' is not simple, then since $v_k \in H'$ exactly two of the $e_i \in E'$, leaving one $e_i \notin E'$. Let the two events in E' be denoted $e_{i_1}$ and $e_{i_2}$ and let $e_i \notin E'$ be denoted $e_{i_3}$. The possible states of the pair $\{e_{i_1}, e_{i_2}\}$ are (1,1), (1,0), (0,1), and (0,0) of which (1,0) and (0,1) are indistinguishable to $e_k$. F' will be replaced by $e_k$ and two basic events which will give an equivalent representation of the probability information stored in F'. To compute the needed probabilities a new top event $e_j$ independent of F is created. The links $l_{i_1 k}$ and $l_{i_2 k}$ are removed, disconnecting $F' - e_k$ from F. Links $l_{i_1 j}$ and $l_{i_2 j}$ are formed to connect $F' - e_k$ to $e_j$ via the pair $\{e_{i_1}, e_{i_2}\}$, forming the new fault tree $\hat{F}$. For $e_j \in \hat{E}$ let $t_j$ = AND and call Faulttree to obtain

$$P(1,1) = \left( g(p) \mid t_j = \mathrm{AND} \right)$$

Let $t_j$ = OR and call Faulttree to obtain

$$P((1,1) \cup (1,0) \cup (0,1)) = \left( g(p) \mid t_j = \mathrm{OR} \right)$$

$e_k$ is given a new event type which denotes a "reconfigured" event with nonhomogeneous inputs. Two new basic events $e_{\ell_1}$ and $e_{\ell_2}$ are attached into $e_k$ by $l_{\ell_1 k}, l_{\ell_2 k} \in L$. $p_{\ell_1} = P(1,1)$ while $p_{\ell_2} = P((1,0) \cup (0,1))$ given by

$$P((1,0) \cup (0,1)) = P((1,1) \cup (1,0) \cup (0,1)) - P(1,1)$$

$F = F - F' + e_k + e_{\ell_1} + e_{\ell_2}$. Future computation for $g_k(p)$ will use

$$g_k(p) = p_{\ell_1} + p_{\ell_2}\, g_{i_3}(p)$$

Figure 2-5 exhibits the resulting structural modification to the fault tree.
3. Replacement

Another enhancement made was a change to Sreduce. Instead of computing $g_j(p)$ for a logic gate $e_j$ with only a single basic event $e_i$ below, $e_j$ can simply be replaced by $e_i$, i.e., $e_j \leftarrow e_i$, $p_j \leftarrow p_i$, and dispose $e_i$. This is especially helpful in forming the expression for g(p) since one equation is eliminated each time this replacement is made.

Figure 2-5 Reconfiguration (R denotes reconfigured event)


III. IMPLEMENTATION AND COMPUTATIONAL RESULTS

The computer codes for all programs are written in Berkeley 3.0 Pascal to take advantage of the recursive feature of this language. All tests on these programs were conducted on a VAX 11/780 computer under the Berkeley 4.0 Unix operating system. The main algorithm of the previous chapter was transformed into the dual purpose program "Faulttree" which can be used to directly compute g(F) or produce a subroutine containing the equations for g(p).

A. DATA STRUCTURES

The data structure used to represent the fault tree is effectively $(E, L \cup \bar{L})$. That is, both upward and downward pointing links are maintained out of each event. Some storage could have been saved using only (E,L) and creating $\bar{L}$ when needed, but this would have greatly increased the complexity of the program. Maintaining both L and $\bar{L}$ allowed flexibility for the various types of searches conducted in F during reductions and other operations. A depth first search using (V,L) is performed in the simple reduction subroutine "Sreduce," a depth first search using $(V, L \cup \bar{L})$ is performed in the subroutine "Condition," and a depth first search using (V,L) is performed in the subroutine "Findmodule" where $(L \cup \bar{L})$ is used to simulate the links of H. The use of (V,L) was especially convenient in Condition. This allowed a depth first search to remove events by starting at the basic event being conditioned rather than beginning the search at the top event which would require more time.

Because pivotal decomposition and other algorithms used deal with dynamic fault trees by restructuring and making reductions, the internal data structure for the computer program should facilitate changes to F. This facilitation was accomplished by the use of linked lists to represent the events and links of F. Two features available in Pascal which were useful for storing these linked lists are "records" and "pointers." Two types of records were designated event records and link records. A record allows the storage of different data types within a single entity. Integers, reals, arrays, and other types can be stored simultaneously in each record. Two pointer types were designated event record pointers and link record pointers. The pointers were used to connect events and links in the computer representation of the fault tree, and were also used to move from one event to another during searches through F.

Tables 3-1 and 3-2 list the information stored in event and link records.

An event record is created for each $e_i$ in F. Each event record has an up pointer and a down pointer. The up pointer points to the first link of a set of links equal in number to the out-degree of $e_i$. Each link is connected to the next link by the variable next link. Every link in the data structure points to an event record via the variable event pointer. The event records pointed to represent the $e_j$ which are linked from $e_i$ by $\{l_{ij} : l_{ij} \in L\}$. The down pointer points to the first link of a set of links equal in number to the in-degree of $e_i$. These links are joined to one another in the same way, and each points to an event record representing an $e_k$ which is linked into $e_i$ by $\{l_{ki} : l_{ki} \in L\}$. Figure 3-1 gives a visual representation of this structure.

TABLE 3-1
Event Record

Variable                 Data Type
identity                 integer
type                     integer
up pointer               pointer to link record
down pointer             pointer to link record
probability (optional)   real

TABLE 3-2
Link Record

Variable         Data Type
event pointer    pointer to event record
next link        pointer to link record
Figure 3-1 Linking of Events

Because of this data structure, it is easy to change the fault tree during a search. Reductions can be made by deleting a link and reconnecting the links on either end of it, or by setting pointers to "nil." Event types or identifications can be changed or newly computed basic event probabilities stored. (Probabilities only need to be stored in event records when direct computation of system failure probability is performed.)

B. PROGRAMMING

Another feature of Pascal which was useful was its ability to call procedures recursively. This capability was used for pivotal decomposition so that recursive calls could be made in the program Faulttree until F was reduced completely. Although recursion could have been used in some subroutines, it uses more time and storage [Ref. 29: p. 300] than non-recursion and therefore was used only for pivotal decomposition.

In Pascal, records may be created and destroyed over the course of a program so that storage is only used when needed. This can be accomplished by use of the embedded functions "new" and "dispose." Some conservation of storage must be utilized in Faulttree when solving any large problems. Using new when making a copy of F and dispose during the reductions on F is one way to conserve storage. This way is time consuming, however, since invoking new slows the program, and extra searches which would otherwise be unnecessary are required to reach all events and links for disposals. To minimize storage and time concurrently, two arrays were created at the beginning of the program, one to store event records and the other to store link records. All records needed for the entire program are created and placed into these arrays. Records are re-used from these arrays by saving the index of the last record currently in use. Whenever a new record is needed it can be taken from the next point in the array beyond the index. Prior to making a copy of F in Faulttree, the current value of the index is saved in another variable. This copy of F is then produced, increasing the index value. The copy is passed as an argument to Faulttree. Upon return from Faulttree the copy is no longer needed, and the index can be reset to its prior value. Meanwhile, as reductions are made in Sreduce and Condition, the program effectively "burns bridges" by setting pointers to nil where events beyond these pointers are to be removed.

F-modules are dealt with directly without being disconnected or removed from F. Faulttree and its subroutines pass arguments in the form of F-modules. This is actually accomplished in the program by passing a variable containing a pointer to the F-module top. The subroutines treat the F-module as a fault tree by never searching above the F-module top.

In the subroutines Sreduce and Condition, some sections of the code were written in block format. That is, sections of code can be removed or inserted depending on the event types to be represented in the fault tree. These blocks will make it easy to modify this program for use of other specific event types by insertion of the proper blocks of code.

C. INPUT AND OUTPUT

The input for Faulttree is a data file describing F. The first line of the data gives integer values for the number of events and the highest event identification number. The remainder of the file gives the detailed event data. Each event occupies two lines of the file. The first line gives three integers: event identification, event type, and number of events directly below. The second line lists the events below by identification or gives event probability for a basic event. Figure 3-2 is a sample input data file.

Faulttree outputs either the system failure probability or a set of equations forming an expression for g(p). This expression is in the form of a three part Pascal program "FTE" (Fault Tree Expression). Faulttree prints the heading "FTE-heading" and a subroutine "TEP" (Top Event Probability) for FTE while the main program "FTE-main" is kept permanently on file. TEP contains the equations which are printed by Faulttree in reducing F. It is configured to receive the argument p from FTE-main and return g(p). TEP and FTE-main use variables and arrays declared in FTE-heading. FTE-heading is printed by Faulttree after reductions on F are complete. Two arrays are declared in the heading. The primary array has a component for each event in F plus any other dummy events which may have been created during event splitting or reconfiguration. The secondary array is used in pivotal decomposition to store the conditional probability for an event while a probability is computed for the same event given the opposite condition. The size of this array is no greater than the deepest recursion level of Faulttree. The heading is printed after TEP since array sizes for FTE are not available in Faulttree until F has been completely reduced. FTE-main is a routine which reads p from the input data file and invokes TEP to compute g(p). When FTE-heading, TEP, and FTE-main are combined to create FTE, FTE is ready to be compiled and executed. FTE reads from the same data file that Faulttree reads but only extracts the values for p in the process. FTE outputs the probability of the top event but can be usefully configured to compute event importances or perform other computations which require g(p).

    8 9
    1 3 3
    2 3 4
    2 2 2
    5 6
    3 2 2
    6 7
    4 2 2
    7 9
    5 1 0
    0.001
    6 1 0
    0.001
    7 1 0
    0.002
    9 1 0
    0.002

Figure 3-2 Sample Input Data File
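As an added example (not the thesis's Pascal program), the following Python code parses the Figure 3-2 input format and computes g(F) the way Faulttree in Figure 2-1 does: pivotal decomposition only on replicated events, with the now-independent remainder evaluated by simple reduction. The thesis does not list its numeric event-type codes, so the mapping 1 = BASIC, 2 = AND, 3 = OR, 4 = NOT, 5 = 2-out-of-3 is an assumption of this example.

```python
"""Exact g(F) by pivotal decomposition on replicated events.

Added example, not the thesis's Pascal program. It parses the Figure 3-2
input format and follows the Faulttree strategy: condition only on replicated
events, then evaluate the rest by simple reduction. The thesis does not list
its numeric event-type codes, so the mapping below is an assumption.
"""
from collections import Counter
from math import prod

BASIC, AND, OR, NOT, TWO_OF_THREE = 1, 2, 3, 4, 5  # assumed type codes

# Figure 3-2 sample data file (event 1 is the top; 6 and 7 are replicated).
SAMPLE = """8 9
1 3 3
2 3 4
2 2 2
5 6
3 2 2
6 7
4 2 2
7 9
5 1 0
0.001
6 1 0
0.001
7 1 0
0.002
9 1 0
0.002
"""

def parse_fault_tree(text):
    """Two lines per event: 'id type n_below', then inputs or a probability."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    types, inputs, probs = {}, {}, {}
    for k in range(int(rows[0][0])):
        eid, etype, n_below = (int(x) for x in rows[1 + 2 * k])
        detail = rows[2 + 2 * k]
        types[eid] = etype
        if etype == BASIC:
            inputs[eid], probs[eid] = [], float(detail[0])
        else:
            inputs[eid] = [int(x) for x in detail]
            if len(inputs[eid]) != n_below:
                raise ValueError(f"event {eid}: expected {n_below} inputs")
    return types, inputs, probs

def gate_prob(etype, ps):
    """Gate failure probability given independent input probabilities."""
    if etype == AND:
        return prod(ps)
    if etype == OR:
        return 1.0 - prod(1.0 - p for p in ps)
    if etype == NOT:
        return 1.0 - ps[0]
    if etype == TWO_OF_THREE:
        a, b, c = ps
        return a * b + a * c + b * c - 2 * a * b * c
    raise ValueError(f"unknown gate type {etype}")

def replicated_in_postorder(inputs, top):
    """Events with out-degree > 1, each listed after its own descendants."""
    count = Counter(c for kids in inputs.values() for c in kids)
    order, seen = [], set()

    def visit(e):
        if e not in seen:
            seen.add(e)
            for c in inputs[e]:
                visit(c)
            if count[e] > 1:
                order.append(e)

    visit(top)
    return order

def top_event_probability(text):
    """Return (g(F), number of pivots) for the tree described by `text`."""
    types, inputs, probs = parse_fault_tree(text)
    children = {c for kids in inputs.values() for c in kids}
    (top,) = [e for e in inputs if e not in children]  # the one parentless event
    pivots = replicated_in_postorder(inputs, top)

    def reduce(e, fixed, memo):
        # Simple reduction: with every replicated event pinned to 0 or 1,
        # the inputs of each remaining gate are independent.
        if e in fixed:
            return fixed[e]
        if e not in memo:
            memo[e] = probs[e] if types[e] == BASIC else gate_prob(
                types[e], [reduce(c, fixed, memo) for c in inputs[e]])
        return memo[e]

    def decompose(level, fixed):
        # Pivotal decomposition of Figure 2-1: p_j = p_i*p_1 + (1 - p_i)*p_0.
        if level == len(pivots):
            return reduce(top, fixed, {})
        e = pivots[level]
        p_e = reduce(e, fixed, {})  # exact: e's replicated descendants are fixed
        return (p_e * decompose(level + 1, {**fixed, e: 1.0})
                + (1.0 - p_e) * decompose(level + 1, {**fixed, e: 0.0}))

    return decompose(0, {}), len(pivots)
```

For the sample file the result agrees with a hand inclusion-exclusion over the four basic events (6.994e-6 after two pivots), which is the kind of cross-check worth keeping when the gate semantics are an assumption.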

D. PROGRAM TESTING

Faulttree was tested on four fault trees, two of which are hypothetical, "Exampl" and "Examp2," and two of which are actual models of systems used in practice. One system, "Aircraft," represents the combat attrition of a single aircraft while another, "Nuke," represents a nuclear reactor accident. Input data files were created for the four fault trees, and Faulttree was executed for each to directly compute g(F). Faulttree was again executed for each data file to produce four versions of FTE. Descriptions of the fault trees and data from test runs are given in Table 3-3.


TABLE 3-3   Test Runs

                   Examp1    Examp2    Aircraft      Nuke
events                 64        79         105       339
rep. events             7        15           4        59
CPU time            0.001     0.371       0.001
events stored         112       330         178      2586
FTE equations          36       102          51   153,733
FTE CPU time        0.000     0.033       0.000

Nuke, described in the table, is actually a revised version
of the original data.  The original data contained 345 events
of which 65 were replicated.  Further explanation of the
modification of this data is given below.

The table gives CPU time in seconds.  All CPU times
reported in this thesis exclude time required for input/output.
As a measure of storage the maximum number of event records
needed to compute each problem is included as "events stored."
Also, the number of equations printed into FTE is listed.
For all of the fault trees except Nuke, FTE was successfully
compiled and executed, computing the system failure probability
in less time than required by Faulttree.  The times for
execution of FTE are given in Table 3-3 in the row denoted
FTE CPU time.

Initial tests on Nuke were made using the original data
file.  The first solution attempt for direct computation of
g(F) required more than five hours of clock time for Faulttree
during a low utilization period on the VAX.  Exact CPU
time was not determined.  When Faulttree was reexecuted to
produce FTE, over 600,000 equations were printed into TEP.
This subroutine was too large to be compiled.  Further tests
were conducted with this data alone with the objective of
reducing the number of equations being printed.  First, data
was generated from Faulttree to see what size modules were
being located and to determine the extent of the reductions
being accomplished by pivotal decomposition.  It was found
that after the first call to Sreduce, which removed only
six events, the fault tree was a prime F-module with all 65
replicated events and 339 of the original events still intact.
Several successful and unsuccessful techniques were implemented
for reducing the size of TEP.  The replacement procedure
was implemented in Sreduce, and output was reduced to
about 425,000 lines.  Up to this point, replicated events
for conditioning had been selected randomly.  This worked
satisfactorily for small problems.  Various heuristics for
choosing replicated events e_i for conditioning were tested
with Nuke.  Three of these which required linear time complexity
were choosing e_i with (a) the greatest out-degree,
(b) the least distance in links from the top event, and
(c) the greatest distance in links from the top event.
Implementation of heuristic (a) reduced output to about
417,000 lines while (b) and (c) increased the amount of output.
Next, the reconfiguration procedure was developed, and it
reduced the output to about 415,000 lines.  The heuristic
for computing min_{e_i ∈ E} (max_{j ∈ J} |R_j|) for all
replicated basic events was then added.  This enhancement
reduced output to 225,000 lines of output.  Finally a crude
graphical representation of the fault tree was produced with
the hope that some visual clue might aid selective
conditioning.  Two sets of four replicated basic events were
found.  Every event in each set was linked to the same two
intermediate events of four intermediate events total.  The
eight basic events were replaced in the input data file by
two basic events after hand-computing probabilities for the
two new basic events based on the union of the four events
each one replaced.  With this revised data, Faulttree
produced only 153,733 equations.




IV.   RESULTS  AND  CONCLUSIONS 

Pivotal decomposition has been shown to be a good method
for computing system failure probabilities in fault trees,
at least for the problems analyzed here.  The basic algorithm
in conjunction with several enhancements has computed exact
probability for a fairly large fault tree having 345 events
with 65 of them replicated.  Some of these enhancements
were key factors in reducing the amount of computation
required by the basic algorithm.  If other methods of reducing
this computation can be applied to the computer code developed
in this thesis, this program will be capable of being used
as a tool in analysis of even larger fault trees.

A.   FINDINGS 

Space complexity was not a limiting factor in solving
any of these fault trees.  The greatest use of storage
occurred in computing g(F) for Nuke.  The total number of
event records created was less than eight times the amount
needed to store the original fault tree alone.  Since the
recursion level was noted to exceed 43 at some points during
execution, the factor of eight is less than might be expected.
The system storage requirements for a high recursion level
such as this are probably more significant than the storage
of problem data.  The greatest limiting factor for computing
probabilities in large fault trees is the time complexity
O(2^(2r) |L|), which also gives the complexity for the length of
TEP.  In this complexity figure, the factor |L| is insignificant.
Efforts to reduce complexity must be directed
toward the factor 2^(2r).  The fault tree aspects which most
influence this factor are the number of replicated events and
the structural characteristics of the fault tree which allow
or make difficult its modularization.  Even a fault tree with
a large r value should not be difficult for Faulttree to
reduce if it has one of the following three properties:
(a) no prime F-modules contain a large r, (b) r is greatly
reduced after a few recursions of pivotal decomposition,
or (c) non-complex F-modules (low r per F-module) begin to
form after a few recursions of pivotal decomposition.

Faulttree and FTE have been shown to be useful for the
three fault trees Examp1, Examp2, and Aircraft.  Faulttree
computed top event probability in a fraction of a second,
and FTE used less time.  As a test of applicability FTE-main
was modified to compute Birnbaum importances for every
basic event in a given fault tree.  For each basic event this
requires two computations of top event probability by TEP.
The number of basic events and time in seconds to compute all
their Birnbaum importances are shown in Table 4 for the three
fault trees.

TABLE 4
Time to Compute Birnbaum Importances for All Basic Events

                 Examp1    Examp2    Aircraft
basic events         34        36          61
CPU time          0.017     0.067       0.017

Examp2 is the most complex fault tree of the three as
evidenced by comparing the numbers of replicated events and
the CPU time required by g(F) for the three fault trees.
(See Table 3-3.)  For Examp2, 72 computations of g(p) are
made in about one-fifth of the amount of time required to
compute g(F) directly.

FTE  was  unable  to  be  tested  on  Nuke  due  to  the  size  of 
the  subroutine  TEP  produced  by  Faulttree.   Direct  computation 
of  g(F)  was  successful,  although  it  required  much  CPU  time. 
The  structure  of  this  fault  tree  impeded  the  formation  of 
proper  F-modules  after  reductions  from  conditioning.   In  fact, 
following  as  many  as  five  conditionings,  no  replicated  events 
are  eliminated  except  for  the  one  conditioned,  and  no  proper 
F-modules  are  created. 

Although the version of TEP produced with Nuke is presently
too large to compile and use, it was reduced in size by more
than 75 percent from the first execution by several innovations
which were discussed in Chapter III.  The large reductions
accomplished by the implementation of replacement show that
there are many instances of intermediate events with only
one unreplicated basic event below.  Although this technique
was trivially easy to use, it was highly significant in
reducing the size of TEP.  The addition of reconfiguration
to the program reduced TEP by less than one percent.  This
may seem insignificant; however, Nuke only has three 2-out-of-3
events.  Of the three, one is reduced and disposed in the
first call to Sreduce leaving only two in the fault tree for
pivotal decomposition.  Before implementing reconfiguration,
if the cut vertex of an F-module F' ⊂ F was a 2-out-of-3
event, and one of the events connected into the cut vertex
was not in F', then F' could not be used but instead served
to complicate F and impede the computational process.  It
is believed that reconfiguration will significantly reduce
the actual complexity of any fault tree with many 2-out-of-3
events.

The heuristic for selecting events to condition reduced
the size of TEP by 45 percent.  Although this heuristic results
in increased time complexity for Faulttree, the great reduction
in the size of TEP is worthwhile.

It  is  hoped  that  pivotal  decomposition,  combined  with 
techniques  discussed  in  this  thesis  and  other  techniques, 
will  be  useful  in  the  analysis  of  large  fault  trees.   More 
methods  of  making  reductions  and  locating  F-modules  exist. 
However,  time  limitations  preclude  their  application  in  this 
thesis.   It  is  believed  that  the  addition  of  some  of  these 
other  methods  to  Faulttree  would  greatly  increase  the  range 
of  solvable  problems. 
B.   SUGGESTED FURTHER RESEARCH

There  are  many  further  enhancements  to  the  pivotal 
decomposition  method  of  fault  tree  probability  computation 
which  could  increase  the  usability  of  Faulttree. 

This  thesis  used  the  2-out-of-3  event  to  demonstrate  how 
techniques  for  K-out-of-N  events  can  be  applied.   Specific 
K-out-of-N  events  would  be  easy  to  implement  in  the  existing 
program.   Other  possible  enhancements  could  be  the  addition 
of  algorithms  to  compute  probabilities  of  a  general  K-out-of-N 
event  during  simple  reductions.   To  be  of  any  practical  use, 
this  algorithm  must  handle  a  set  of  input  events  with  unequal 
probabilities.   In  conjunction  with  this  there  should  be  a 
method for reconfiguration of an F-module with a general
K-out-of-N cut vertex.

There  exist  other  methods  of  locating  F-modules  and 
generalizations  of  F-modules  that  can  locate  more  useful 
structures  which  are  overlooked  by  the  depth  first  search 
method  applied  here.   The  method  used  in  this  thesis  only 
locates  an  F-module  which  is  attached  to  the  fault  tree 
by a cut vertex.  Wood [Ref. 30] uses a search for
tri-connected components in solving network reliability problems,
and this method could be used to locate F-modules connected
by separating pairs.  Applied to this algorithm for fault
trees, additional F-modules would be located which aren't
being located by the present method.  For example, the two
sets of four replicated events which were reduced to two
replicated events by hand computation were both examples of
tri-connected components which would have been detected and
reduced as F-modules thus reducing the overall problem
complexity.

It may be sufficient in many applications to compute
g(F) approximately or to obtain upper and lower bounds on
g(F).  Corynen [Ref. 26] is able to solve large problems and
obtains accurate bounds without considering all branches of
the backtrack search structure.  In Faulttree, lower bounding
could be accomplished by saving the product P_k of the
probabilities of all events which have been conditioned up to
recursion level k.  The most recent value of P_k for all k
is saved so that it is available during backtracking and
further recursion.  When P_k < δ for some small δ > 0, then
further recursions are unnecessary since the term in the
pivotal decomposition algorithm is approaching zero.  The
algorithm can backtrack, and the term associated with the
current recursion need not be added into the computation
of g(F).  If used, this method removes Faulttree from the
realm of exact methods, and it might be risky to use the
resulting expression for computation of system failure
probability when the p_i values vary over a wide range.
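As an added illustration (not the thesis's Faulttree or FTE code), the following Python sketch applies pivotal decomposition to a constructed five-event tree with two replicated events, choosing the pivot by the greatest-out-degree heuristic (a) of Chapter III, computes Birnbaum importances by the two-evaluation method of Section IV.A, evaluates a K-out-of-N gate with unequal input probabilities as suggested above, and implements the δ-truncated lower bound just described.  It assumes P_k is the product of p_e or 1 - p_e along the conditioning path, i.e. the weight multiplying the current term; that reading of the thesis is an assumption.

```python
import math
from collections import Counter

# Constructed sample fault tree (not from the thesis).  Gate = (type, [inputs])
# or ("KOFN", k, [inputs]); A and B feed two gates each, so they are replicated.
GATES = {
    "TOP": ("OR", ["G1", "G2", "G3"]),
    "G1": ("AND", ["A", "B"]),
    "G2": ("AND", ["B", "C"]),
    "G3": ("KOFN", 2, ["A", "D", "E"]),   # a 2-out-of-3 event
}
PROBS = {"A": 0.1, "B": 0.5, "C": 0.2, "D": 0.3, "E": 0.4}

def eval_tree(node, gates, p):
    """Bottom-up evaluation; exact only once no event with 0 < p < 1 is replicated."""
    if node not in gates:
        return p[node]
    kind, *rest = gates[node]
    q = [eval_tree(c, gates, p) for c in rest[-1]]
    if kind == "AND":
        return math.prod(q)
    if kind == "OR":
        return 1.0 - math.prod(1.0 - x for x in q)
    dist = [1.0] + [0.0] * len(q)        # dist[c] = P(exactly c inputs failed)
    for x in q:                          # K-out-of-N, unequal input probabilities
        for c in range(len(q), 0, -1):
            dist[c] = dist[c] * (1.0 - x) + dist[c - 1] * x
        dist[0] *= 1.0 - x
    return sum(dist[rest[0]:])           # P(at least k inputs failed)

def replicated(gates, p):
    """Basic events feeding more than one gate and not yet fixed to 0 or 1."""
    n = Counter(c for gate in gates.values() for c in gate[-1] if c not in gates)
    return sorted(e for e, k in n.items() if k > 1 and 0.0 < p[e] < 1.0)

def g(gates, p, delta=0.0, weight=1.0):
    """Top-event probability by pivotal decomposition on the replicated event of
    greatest out-degree; with delta > 0, branches whose weight P_k < delta are dropped."""
    if weight < delta:                   # lower-bound truncation (inexact when delta > 0)
        return 0.0
    reps = replicated(gates, p)
    if not reps:
        return eval_tree("TOP", gates, p)
    e = max(reps, key=lambda x: sum(x in gate[-1] for gate in gates.values()))
    return (p[e] * g(gates, {**p, e: 1.0}, delta, weight * p[e])
            + (1.0 - p[e]) * g(gates, {**p, e: 0.0}, delta, weight * (1.0 - p[e])))

def birnbaum(gates, p, event):
    """Birnbaum importance of a basic event: two top-event evaluations, as in FTE-main."""
    return g(gates, {**p, event: 1.0}) - g(gates, {**p, event: 0.0})
```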

There is surely a lower bound on the number of equations
which must be written to give an expression for g(p) for a
particular fault tree.  For some large fault trees the lower
bound will be too large thus preventing the compilation of
the subroutine TEP.  In this case TEP can be subdivided into
multiple subroutines to be compiled separately and linked for
execution.

By  including  some  of  these  suggested  additions  to  the 
work  already  accomplished,  it  is  believed  that  Faulttree  and 
FTE  will  be  useful  tools  for  fault  tree  analysis. 